
How to maintain consistent encryption keys in MongoDB client field-level encryption?

王林
Release: 2024-02-06 09:00:13


Question content

I am using MongoDB client-side field-level encryption to encrypt and decrypt data. However, I noticed that every time I execute the program, the original binary key changes. This makes it difficult for me to retrieve previously encrypted data because I can't decrypt it with the new key.

Is there a way to maintain consistent encryption keys for client-side field-level encryption in MongoDB? If so, how can I do it?

https://www.mongodb.com/docs/manual/core/csfle/fundamentals/manual-encryption/#std-label-csfle-fundamentals-manual-encryption

https://go.dev/play/p/6W8e0OiPV2L

I'm trying to implement client-side field-level encryption in a MongoDB community project so that certain fields in a document are encrypted before being stored in the database, and then decrypted when retrieving them from the database.

I have been following the MongoDB documentation and was able to successfully encrypt and decrypt data the first time I executed the program. However, I noticed that the key changes every time I run the program again, and I want to keep the key the same.


Correct Answer


These lines should be deleted:

// drop the key vault collection in case you created this collection
// in a previous run of this application.
if err = client.Database(keyVaultDb).Collection(keyVaultColl).Drop(context.TODO()); err != nil {
    log.Fatalf("Collection.Drop error: %v", err)
}

The following line is only required if the key does not already exist:

dataKeyID, err := clientEnc.CreateDataKey(context.TODO(), provider, dataKeyOpts)
if err != nil {
    log.Fatalf("CreateDataKey error: %v", err)
}

Maybe first call clientEnc.GetKeyByAltName to check if the key exists.

By saying "the original binary key changes", I think you mean the data encryption key (DEK) changes. This is caused by the collection where the DEK is stored being deleted.

See Keys and Key Vaults:

The customer master key (CMK) is the key you use to encrypt the data encryption key (DEK)....

The data encryption key (DEK) is the key used to encrypt fields in MongoDB documents. You store your data encryption keys in a key vault collection encrypted using the CMK...

If you delete a data encryption key (DEK), all fields encrypted with that DEK will become permanently unreadable.

If you delete a CMK, all fields encrypted by DEKs encrypted using that CMK will become permanently unreadable.
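The answer's point is that a stable key setup has two halves: the local customer master key must be read back from wherever it was first saved, and the data encryption key must be looked up in the key vault before a new one is created. The Go program below is an added example, not code from the question, the answer or the MongoDB driver. It keeps the 96-byte local CMK in a file (created with mode 0600 only on the first run, rejected if it has the wrong length afterwards) and runs a check-before-create routine, ensureDataKey, against a key vault. The KeyVault interface and the in-memory memoryVault are stand-ins I introduced so the logic runs without a MongoDB deployment; the real program would satisfy the interface with a thin adapter around *mongo.ClientEncryption. The file name master-key.bin and the alt name demo-data-key are arbitrary.

```go
package main

import (
	"context"
	"crypto/rand"
	"errors"
	"fmt"
	"log"
	"os"
)

const localMasterKeySize = 96 // a CSFLE "local" CMK is exactly 96 random bytes

// loadOrCreateLocalMasterKey returns the local CMK stored at path, generating and
// persisting it (mode 0600) only when the file does not exist yet. Regenerating the
// CMK on every run would leave every DEK in the key vault undecryptable. The real
// program would pass the returned bytes to the driver as kmsProviders["local"]["key"].
func loadOrCreateLocalMasterKey(path string) ([]byte, error) {
	key, err := os.ReadFile(path)
	if err == nil {
		if len(key) != localMasterKeySize {
			return nil, fmt.Errorf("%s: want %d-byte master key, got %d bytes", path, localMasterKeySize, len(key))
		}
		return key, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	key = make([]byte, localMasterKeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, fmt.Errorf("generate master key: %w", err)
	}
	if err := os.WriteFile(path, key, 0o600); err != nil {
		return nil, fmt.Errorf("persist master key: %w", err)
	}
	return key, nil
}

// KeyVault is the subset of key-vault behaviour the fix depends on. In the real
// program a small adapter around *mongo.ClientEncryption would satisfy it
// (assumption: by calling GetKeyByAltName and CreateDataKey with a keyAltNames
// option); the in-memory fake below lets the logic run without MongoDB.
type KeyVault interface {
	GetKeyByAltName(ctx context.Context, altName string) (id []byte, found bool, err error)
	CreateDataKey(ctx context.Context, altName string) (id []byte, err error)
}

// ensureDataKey returns the id of the DEK registered under altName, creating one
// only when the vault holds none, so every run reuses the same DEK.
func ensureDataKey(ctx context.Context, vault KeyVault, altName string) (id []byte, created bool, err error) {
	id, found, err := vault.GetKeyByAltName(ctx, altName)
	if err != nil {
		return nil, false, fmt.Errorf("look up data key %q: %w", altName, err)
	}
	if found {
		return id, false, nil
	}
	if id, err = vault.CreateDataKey(ctx, altName); err != nil {
		return nil, false, fmt.Errorf("create data key %q: %w", altName, err)
	}
	return id, true, nil
}

// memoryVault is a constructed stand-in for the key vault collection (alt name -> DEK id).
type memoryVault struct{ keys map[string][]byte }

func (m *memoryVault) GetKeyByAltName(_ context.Context, altName string) ([]byte, bool, error) {
	id, ok := m.keys[altName]
	return id, ok, nil
}

func (m *memoryVault) CreateDataKey(_ context.Context, altName string) ([]byte, error) {
	// The real key vault has a unique index on keyAltNames; mirror that constraint.
	if _, dup := m.keys[altName]; dup {
		return nil, fmt.Errorf("data key %q already exists", altName)
	}
	id := make([]byte, 16) // DEK ids are 16-byte UUIDs
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	m.keys[altName] = id
	return id, nil
}

func main() {
	cmk, err := loadOrCreateLocalMasterKey("master-key.bin")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("local master key: %d bytes\n", len(cmk))
	vault := &memoryVault{keys: map[string][]byte{}} // one vault shared by both simulated runs
	for run := 1; run <= 2; run++ {
		id, created, err := ensureDataKey(context.Background(), vault, "demo-data-key")
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("run %d: DEK id %x (created=%v)\n", run, id, created)
	}
}
```

The second simulated run prints the same DEK id with created=false, which is the behaviour the question was missing. To wire the interface to the driver, as far as I know the v1 mongo-go-driver exposes clientEnc.GetKeyByAltName(ctx, name), which returns a *mongo.SingleResult whose mongo.ErrNoDocuments error is the "not found" case, and clientEnc.CreateDataKey(ctx, "local", options.DataKey().SetKeyAltNames([]string{name})); treat those names as assumptions to confirm against the driver version you use. With the drop removed and this check in place, the only ways to lose access to encrypted fields are the two the docs quote above warns about: deleting the DEK document or losing the CMK file.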

Source: stackoverflow.com